Which monitor or sniffer software would work with CBT

I tried Wireshark but the regular version doesn't do Can-bus on Windows, the Linux version seems to be able to. For this car stuff I use an old XP laptop. The funny thing is that a lot of companies supply software but they all use special drivers for some kind of hardware.

I tried:
Wireshark (no CANBUS on Windows)
CANUSB (needs dedicated driver/hardware)
Canhacker (I don't think this will work over an Arduino or CBT)
Busmaster (the professional tool but only supports specific hardware)

Unless Derek comes up with something quickly (no I'm not pushy ;-) I probably going for a Logic Analyzer as well. On Jaguars you have the SCP bus (J1850 PWM) which is used for the convenience stuff and I need to analyse that too.

My car has 4 systems in total:

ISO9141 for OBDII
SCP (J1850 PWM) for most of the body/chassis stuff
CANBUS for the engine/transmission/abs and several other modules
D2D glasfiber bus for audio (connected from the SCP bus)

I have plans enough for all of them but getting the tools just to start analyzing is a project itself!

Does anybody have experiences with Logical Analyzer? I found these but not sure what is the best for both J1850 PWM and CANBUS.


Would also be interested in info on using a CANBUS database for lookup.

I've been testing with Wireshark and <a href="http://desowin.org/usbpcap/tour.html">USBPcap</a> on recoded data. While it works, it only analyses the USB packets down to layer - Leftover Capture Data: 0301022500ff00000000004008010d

While it fairly usable / sortable at this level with hex, it ofter skews the data where Packet Data Lengths overlaps like - Leftover Capture Data: ff:00:00:00:80:08:01:0d:03:01:02:25:00:ff:00:00:00:00:00:40:08:01
I have setup some filters to show only correctly formatted packets lengths, starting with 0301. But Wireshark still does not recognize them as CANbus. Thinking need to strip the start 0301, and 0d off the end by modifying the codes in the CBT. Then it might reconize them as CANbus protocol. But wanted to ask Derek about this first.

I also was reading about <a href="https://github.com/dschanoeh/socketcand">socketcan</a> and wondering if it could be coded into the CBT. If so, might be the fix.

Here is how wireshark expects to see the packets formatted to decode and filter them as "CAN". The current dump from CBT would need to be reconfigured and then tested with USBPcap on windows to see if it works. Anyone??

<b>CAN - Controller Area Network (can) [5 fields]:</b>
can.id Identifier (Unsigned integer, 4 bytes)
can.flags.xtd Extended Flag (Boolean)
can.flags.rtr Remote Transmission Request Flag (Boolean)
can.flags.err Error Flag (Boolean)
can.len Frame-Length (Unsigned integer, 1 byte)

To advanced for me I'm afraid. I'm a car guy, not a programmer.

Hope someone will be able to help or make the CBT compatible with other packages on the market. The one in the video appeals to me because of its possibilities.

I'm not a programer either, but think it should be pretty easy to modify the existing serial code to fit this format.


Once I get the hybrid app done I'm going to focus on making firmware that is compatible with something like wireshark and I'd love to make a socketcan driver over USB!


I've been digging into this more. I'm going to finish the app that is cross platform so everyone has something to use. Then I'll focus on new firmware for socketcan as it only really works on linux. But then we can connect to analyzers like wireshark easily.

Sounds good. I've had some decent experience with Wireshark on windows by creating filters like ((((usb.data_len == 15) ))) && (usb.capdata contains 03:02:06:08) to sort live USBcap data. Problem is that Wireshark only dissects down to USB level with
<i>Leftover Capture Data: 030206087f4a0d25d2015f0008010d</i> .. If that message was in a standard CAN serial format without the CBT headers, I think Wirshark would recognize and dissect it under one the include CAN protocols.

Also the USB protocol coming from USBcap doesn't do a great job of reassembling the messages by length either. Some come in short, others super long. So sorting by length is cleaner, but also easy to miss packets your after. So it works OK with HEX, but with JSON string I've had zero luck in Wirshark.

Derek, don't be such a tease. Haha

How did you get that set up?


Just pushed the code up to github. It definitely needs some cleanup but it works well so far. If you guys could test on Windows that would be awesome!


Readme has setup instructions. This module will be included in the desktop app so people will be able to run it without installing Nodejs. But for now you'll need to do it the hard way by installing a system copy of Nodejs. If you're unfamiliar with Nodejs you should be able to just use an installer from here:

Finally, a productive weekend! I've got a ton done on the app and kicked this out in a couple hours after some research on the Pcap format. Hopefully I'll have the beta of the desktop app posted shortly as well! :D


Also I should mention RTR Eflg and Extended flag are not correct right now, as the current firmware does not report them.

I'm going to make a socketcan firmware when time permits so that would make this even easier.

Edit: I just published it to NPM as well, so you can rock a 'npm install cbt-wireshark' to pull it down if you're node-savvy.

What directory does Nodejs want to see your .js files installed? Haven't been able to make it happy yet.


Any folder. Checkout the code, CD to the folder and run npm install; node index.js /compath


Sorry I should have mentioned you need to do it from a command line/terminal. What platform are you on? Any luck getting it going?

When I get the app out this will be built in a dead simple to use. But it's good to get some testing in now before I merge them.

Finding the correct compath that CBT is connected to under XP is where I'm having issues. With USBPcapCMD.exe it lists this for you, but been unable to accomplish the same under node.js
From USBPcap is shows the CBT at \.\USBPcap4

5 \.\USBPcap4
[Port 1] USB Composite Device
Arduino Leonardo (COM16)
USB Human Interface Device
HID-compliant mouse
HID Keyboard Device

So I have use a simple batch file to start it on XP as below.

<i>CD C:\Program Files\USBPcap
USBPcapCMD.exe -d \.\USBPcap4 -o - | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -</i>

Determining the actual path Node.js needs is where I'm currently at.


Ok I need to jump on a windows box and figure this out. You should be able to just run the js file with node and it will setup the pipe for you. The nodejs installed should add Nide to your path in windows but I can't be sure of that right now. I'll report back

Derek, I tried Wireshark on Mac, I need to solve one last thing to get it working I thing, any ideas? My findings are described here:


I just had a chance to test the pipe script for windows and found one little bug. It works well on windows now as well as mac! :)

On windows once you install Nodejs just start the nodejs command prompt, cd /path/to/code from github and run 'node index COM3' or whatever your com port is. Then setup wireshark as shown in the readme.

OK I finally got it running. :D/

I had to do it slightly different on my Windows XP box from what's listed above. So for all us windows users who don't write java code, or use git very often, here is the EASY way I got it running...

<b>1.</b> Go download the latest CBT to Wireshark code in zip format at https://github.com/CANBus-Triple/CANBus-Triple-Wireshark
<b>2.</b> Unzip the files anywhere you like. Will create the folder <i>CANBus-Triple-Wireshark-master</i> which contains the .js files.
<b>3.</b> Create a easy to find directory/folder, I used C:\WSCBT
<b>4.</b> Copy or move all the files from <i>CANBus-Triple-Wireshark-master</i> to <i>WSCBT</i> folder.
<b>5.</b> Open the <u>Node.js Command Prompt </u> window.
<b>6.</b> Type <b>CD C:\WSCBT</b> and now you should be at <i>C:\WSCBT></i>
<b>7.</b> Now type <b>npm install</b> which should give you.

<i>C:\WSCBT>npm install
npm WARN package.json index@0.4.0 No repository field.
npm WARN package.json node.js@0.0.0 No repository field.
q@1.2.0 node_modules\q</i>

<b>8.</b> Now type <b>node index COM2</b> replacing COM2 with what ever COM port your CBT is currently connected. This should return

<i>C:\WSCBT>node index COM2
Socket bound: \?\pipe\cbtbus1
Logging enabled on all three busses</i>

<b>9.</b> Now open WireShark and setup as listed
Click Capture
Click Interfaces
Click Options
Click Manage Interfaces
Select the Pipes Tab
Click New
Enter<b> \?\pipe\cbtbus1</b> where it says Pipe
Click Save, then Close
Uncheck all the interface buttons at top, except for the one with \?\pipe\cbtbus1

If everything is working correct, Wireshark should now be GREEN and start logging all data. If not, it will give you an error message. Also back in the Node.js Command Prompt window, the last line should be <i>client connected</i>

You may not need to do the <b>npm install</b> command, but in my case, just typing <b>node index COM2</b> wasn't working, and this way finally did... After doing it that way once, I've been able skip that npm install part and it opens fine.. Who knows...

Hope that helps speed it up for everyone else.


  • 37
  • 26350

Looks like your connection to CANBus Triple was lost, please wait while we try to reconnect.